The attester here is really mostly Google’s Android/Play Services/(ChromeOS) team, not Google’s Chrome team. Chrome is really just responsible for passing it along and potentially adding some more information like what kind of extensions are in use, but the real validator is above Chrome entirely.

There will not really be a worthwhile key inside Chrome (there might be one that does nothing by itself); it’ll be backed by the existing per-device-unique key living inside your phone’s secure enclave. Extracting one key would just cause Google to ban it. That attestation covers the software in the secure enclave, your device’s running OS, bootloader unlock state and a couple of other things along those lines; the OS, guaranteed to be unmodified by the hardware attestation layer, then adds extra stuff on top like the .apk hash of the browser. The browser, guaranteed to be unmodified by the OS layer, can add things like extension info if it wants to.

SafetyNet/Play Integrity have both software and hardware modes, but all Android+Google Services phones released in the previous 6? or so years have been required to have hardware backed attestation support, which has no known bypass. The existing “Universal SafetyNet Fix” pretends to be a phone without hardware support which Google begrudgingly accepts… for now. But the day where Google will just screw over older phones is getting increasingly closer, and they already have the power to force hardware backed attestation for device-specific features like NFC payments and DRM support.

On Apple devices, Apple has parallels via their secure enclaves in the form of App Attest/DeviceCheck. On Windows desktops, there could be a shoddy implementation with TPMs (fortunately they’re not quite powerful enough to do this kind of attestation in a tamper-proof way; Microsoft’s Pluton chips might have some secret sauce we haven’t yet seen, though). On Linux desktops… nope, ain’t no support for this coming anytime ever.

The idea is that it would be similar to hardware attestation in Android. In fact, that’s where Google got the idea from.

Basically, this is the way it works:

• You download a web browser or another program (possibly even one baked into the OS, e.g. working alongside/relying on the TPM stuff from the BIOS). This is the “attester”. Attesters have a private key that they sign things with. This private key is baked into the binary of the attester (so you can’t patch the binary).

• A web page sends some data to the attester. Every request the web page sends will vary slightly, so an attestation can only be used for one request - you cannot intercept a “good” attestation and reuse it elsewhere. The ways attesters can respond may vary so you can’t just extract the encryption key and sign your own stuff - it wouldn’t work when you get a different request.

• The attester takes that data and verifies that the device is running stuff that corresponds to the specs published by the attester - “this browser, this OS, not a VM, not Wine, is not running this program, no ad blocker, subject to these rate limits,” etc.

• If it meets the requirements, the attester uses their private key to sign. (Remember that you can’t patch out the requirements check without changing the private key and thus invalidating everything.)

• The signed data is sent back to the web page, alongside as much information as the attester wants to provide. This information will match the signature, and can be verified using a public key.

• The web page looks at the data and decides whether to trust the verdict or not. If something looks sketchy, the web page has the right to refuse to send any further data.

They also say they want to err towards having fewer checks, rather than many (“low entropy”). There are concerns about this being used for fingerprinting/tracking, and high entropy would allow for that. (Note that this does explicitly contradict the point the authors made earlier, that “Including more information in the verdict will cover a wider range of use cases without locking out older devices.”)

That said - we all know where this will go. If Edge is made an attester, it will not be low entropy. Low entropy makes it harder to track, which benefits Google as they have their own ways of tracking users due to a near-monopoly over the web. Google doesn’t want to give rivals a good way to compete with user tracking, which is why they’re pushing “low-entropy” under the guise of privacy. Microsoft is incentivized to go high-entropy as it gives a better fingerprint. If the attestation server is built into Windows, we have the same thing.

Install Firefox

The problem is that Google has such a monopoly over web browsers that Firefox will most probably have to follow and implement this shit as well.
Smells like “this website is only compatible with Internet Explorer 7 or higher” kind of stuff, those were bad back then, it will be a lot worse now.

All the way. Don’t settle for just chrome plating.

Always has been

There is fx_cast, but it’s not on the same level as Chromecast Integration in Chrome.

The answer seems to be sometimes. There’s a way to natively do it on Android or with an extension on Mac or Linux, there may be an extension for windows too tho.

https://support.mozilla.org/en-US/questions/1171141

Most of the times, the websites check the “user agent string” of the browser. If you can change the user agent to chrome while using those websites, you can eliminate the need of keeping chrome around.

The worrying thing is how many websites may accept this standard. We can choose to use other browsers, sure. But the vast majority of users are uninformed chrome users. They won’t see a change in their day to day web usage. But Firefox, and other Chromium-based browsers like brave and Vivaldi are choosing to not adopt it. It’s only a matter of time before ad blocking doesn’t work on those browsers because major publishers implement this to ensure their content is properly paywalled.

Get chameleon extension for Firefox and spoof having chrome for those sites. Which is what google is trying to prevent

Google sees that their business is at risk.

Primarily Google is an advertisement company. And so their top priority is to profile you to serve you targeted ads. Every single product of Google has this number one priority.

No single entity should be allowed to dictate standards. I’m sure multiple businesses would be interested in going along with this standard, though, so we need something of an internet bill of rights to protect against this sort of thing.

Yes. And you should be able to retain that ability.

The magic words are “user-agent header in http protocol”

Also the goal is not for everyone to spoof everyone else, but the goal is to not trust any information you are given by a browser. A good developer would always find ways to bypass any limits with that so it would be useless anyway.

If this comes live it won’t be so easy. Many operating systems will probably not allow to turn this garbage off or spoof it. Especially android.

Yes Theres browser extensions that do this. I tried one and didn’t work but then today tried chameleon and it worked for a site I need for work that only allows chrome.

deleted by creator

If you just can’t use Firefox, switch to edge or opera.

But… why?

deleted by creator

No. Chromium is far, far from being free of Google’s clutches. If you must use chromium-based browsers (you really shouldn’t) you can try ungoogled-chromium.

Hmm… WEI seems to serve to reduce ad frauds, not as a direct attack on blocking ads, except maybe for those ad blockers that attempt to maximize expenses for the advertisers.

They said it out loud and stopped using that years ago.

Can you rewrite attestation server traffic with a proxy server? What if you had a proxy server that had hundreds of clients and scrambled the requests?

Of course it does, how else are they gonna make website owners pay for the data access?

Brave is even worse than chrome. They would sell your mother if they could get away with it.